Exchange Online's conditional access features give organizations tighter control over how they keep end users' devices and information safe.

Many organizations use Exchange Server's built-in ability to restrict device access via ActiveSync. This provides a baseline level of protection: only approved devices are allowed to connect to the organization, and administrators have a way to instruct devices to require a PIN.

Unfortunately, ActiveSync's policies were defined long before iPhone, Android and modern Windows Phone devices existed. The options were aimed at Windows Mobile devices, and the small subset of policies supported across most current devices is limited; it does little to protect content shared via email or to protect against techniques such as jailbreaking.

Conditional access for Exchange Online fills this feature gap by working in combination with Microsoft Intune (and soon via Office 365 Mobile Device Management). Microsoft Intune controls the feature: based on the compliance state of the device, Exchange Online either blocks or allows access. This lets organizations automate the process of validating whether a device is safe to connect to the enterprise, and therefore control Exchange Online access. We'll go over how to enable these features and explain how they appear to end users.

Prerequisites for conditional access

Before implementing conditional access for Exchange Online, it's important to ensure that the following prerequisites are in place.

An Office 365 tenant with Exchange Online mailboxes is configured and working.

A compliance policy containing the settings you want to enforce on the mobile device.

To start, log in to your existing Microsoft Intune tenant at https://portal.manage.microsoft.com. After logging in, navigate to the Policy section and verify that a compliance policy is defined. Our example, Exchange Online access policy, requires standard settings that ActiveSync can enforce, such as a device password. The policy also requires that the device must not be jailbroken and that Intune must manage the email account (Figure 1).

The default compliance policy

The settings ActiveSync can manage will be reflected via the Exchange Online connector in the Office 365 tenant. The Mobile Device Mailbox policy will be shown in the Exchange Admin Center within the Mobile tab. The Intune-managed policy will have a unique WindowsIntune_ prefix (Figure 2).

An Intune-managed mobile device mailbox policy

Enable conditional access

With these prerequisites in place, we can now enable conditional access for Exchange Online ActiveSync devices.

Before enabling conditional access, use the reporting functionality to verify which end users are already out of policy or whose devices can't be verified; these users risk temporarily losing access until their devices are remediated.
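The article does this pre-check in the Intune console; the same review can be scripted from the Exchange Online side, which also lets you record the baseline before the switch is flipped. The script below is an added example, not from the article or from Microsoft's documentation. It assumes the ExchangeOnlineManagement PowerShell module is installed, that the account used has Exchange administrator rights, and that the WindowsIntune_ policy described above has already been created by the Intune connector; the UPN and the output path are placeholders.

```powershell
# Added example (not part of the original article): pre-deployment review of ActiveSync
# device state before enabling Intune conditional access for Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed; the UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Confirm the Intune-managed mobile device mailbox policy (WindowsIntune_ prefix) exists
#    and carries the ActiveSync-enforceable settings the compliance policy defines.
Get-MobileDeviceMailboxPolicy |
    Where-Object { $_.Name -like 'WindowsIntune_*' } |
    Select-Object Name, PasswordEnabled, AlphanumericPasswordRequired, MinPasswordLength,
                  MaxInactivityTimeLock, AllowNonProvisionableDevices |
    Format-List

# 2. Inventory every ActiveSync partnership, joining each device record to its sync statistics.
$report = foreach ($device in Get-MobileDevice -ResultSize Unlimited) {
    $stats = Get-MobileDeviceStatistics -Identity $device.Identity
    [pscustomobject]@{
        User          = $device.UserDisplayName
        Device        = $device.FriendlyName
        OS            = $device.DeviceOS
        AccessState   = $device.DeviceAccessState          # Allowed / Blocked / Quarantined / Unknown
        AccessReason  = $device.DeviceAccessStateReason
        PolicyApplied = $stats.DevicePolicyApplied
        PolicyStatus  = $stats.DevicePolicyApplicationStatus   # AppliedInFull / PartiallyApplied / NotApplied
        LastSync      = $stats.LastSuccessSync
    }
}

# 3. Users who would lose access on day one: devices already blocked or quarantined, devices
#    that never fully applied a policy (cannot be verified), and devices that have never synced.
$atRisk = $report | Where-Object {
    $_.AccessState -in 'Blocked', 'Quarantined' -or
    $_.PolicyStatus -ne 'AppliedInFull' -or
    -not $_.LastSync
}

$atRisk | Sort-Object User |
    Format-Table User, Device, OS, AccessState, PolicyStatus, LastSync -AutoSize

# Keep the baseline so the post-enablement quarantine list can be compared against it.
$atRisk | Export-Csv -Path .\ConditionalAccess-PreCheck.csv -NoTypeInformation
```

Run this against the pilot group first; the exported CSV gives you the list of users to contact about enrolling before the policy is turned on, and a second run after enablement shows which devices actually landed in quarantine.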

We can then enable conditional access within Intune by navigating to the Policy tab, expanding the Conditional Access section and selecting Exchange Online Policy.

First, choose Block email apps from accessing Exchange Online if the device is noncompliant, then select the Targeted Groups before selecting a group. The group will either be a synchronized group via DirSync or a cloud-only group created in Azure AD. In our example, a group called "All Users" has been selected (Figure 3). To test before deploying to a wider end user base, you could select a smaller group with pilot end users.

Enabling conditional access

As an additional option to blocking noncompliant devices, you can block all devices that Intune doesn't support. This option is under the Unsupported Platforms heading (Figure 4).

Blocking unsupported devices

After enabling conditional access, Intune will use the features in Exchange Online to block and quarantine devices until they're compliant. This means conditional access automates the management of the existing quarantine functionality provided with Office 365, giving you more control over Exchange Online access.

End user experience

After switching on conditional access, noncompliant devices will move into a quarantine status. The notification email sent to the device is different from a normal Exchange quarantine message. It provides information to allow end users to download the Microsoft Intune application from their device's app store, and then enroll the device. One possible message an end user receives could ask them to enroll their device (Figure 5).

Notification email after conditional access is applied

When the device is in quarantine, all messages on the device are removed along with any other synchronized information such as contacts. The ActiveSync relationship between the device and Exchange Online remains intact, but the device simply can't synchronize mail or send messages.

The next step is to install the Intune application on the device. This will allow end users to log in using their Azure AD username and password (and if DirSync is used, their AD password) to enroll the device with Intune (Figure 6).

Enrollment for Intune is complete

After the enrollment process is complete, and assuming the device meets the requirements defined within the compliance policy, Intune will move the device back into a state where it's allowed to synchronize with Exchange Online. If the device falls out of policy, this Exchange Online access will be revoked.

About the author: Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.

Join the conversation

3 comments


At this point, no, I would not consider using Exchange Online access to improve my organization's security and authentication procedures. My system already has very capable security software and threads that keep it very safe from malware and unwanted hacks and cyber attacks. Using the Exchange Online access services is a redundancy that I just do not see as useful or necessary for my enterprise's safety and success.